--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--SKIPIF--
<?php
if (!extension_loaded('session')) die('skip session extension not available');
?>
--FILE--
<?php
// Regression test: a Serializable::unserialize() callback that re-enters the
// session machinery (session_start() + session_decode()) while the outer
// unserialize() is still building its result. The fixed engine must make the
// nested decode fail and abort the outer unserialize() cleanly (see
// --EXPECTF--) rather than trigger the use-after-free named in the bug title.
class obj implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    // Called by the outer unserialize() for the C:3:"obj" payload below;
    // $data is the raw inner string, which is handed straight to session_decode().
    function unserialize($data) {
        session_start();
        session_decode($data);
    }
}

// A truncated php-format session record (key "ryat", nested arrays never
// closed), so session_decode() cannot parse it and emits the expected warning.
$inner = 'ryat|a:1:{i:0;a:1:{i:1;';
// Outer payload: a two-element array whose first element is the custom-
// serialized obj (C: form, length taken from $inner) and whose second element
// is a back-reference (R:4;) into the structure still under construction.
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';

$data = unserialize($exploit);

// Allocate a few small strings before inspecting $data; presumably this is
// here so that memory freed during the nested decode gets reused, making a
// regression show up as corrupted output or a crash instead of passing
// silently (intent inferred from the bug title, not stated in the test).
for ($i = 0; $i < 5; $i++) {
    $v[$i] = 'hi'.$i;
}

// Expected: the outer unserialize() aborts near the end of the payload and
// returns false (see --EXPECTF--).
var_dump($data);
?>
--EXPECTF--
Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d

Notice: unserialize(): Error at offset 55 of 56 bytes in %s on line %d
bool(false)